Thresholds can be configured in the rules themselves (see
Rule Thresholding). Rule writers often set them based on
the intel behind the rule, combined with a judgement of how often
the rule will alert.

Let's say we want to limit incoming connections to our SSH server. Rule
888 below simply alerts on SYN packets to the SSH port of our SSH server.
If an IP address triggers this 10 or more times within a minute, the
drop rate_filter is set with a timeout of 5 minutes.
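
The setup described above, written out as an added example (not taken from this page as extracted). The address variable `$MY_SSH_SERVER` and the rule file name `local.rules` are assumptions; the rate_filter line goes in `threshold.config`.

```conf
# --- local.rules (assumed rule file name) ---
# Alert on every SYN sent to port 22 of the SSH server.
# $MY_SSH_SERVER is an assumed address variable; define it under
# vars.address-groups in suricata.yaml before loading this rule.
alert tcp any any -> $MY_SSH_SERVER 22 (msg:"Connection to SSH server"; flow:to_server; flags:S,12; sid:888;)

# --- threshold.config ---
# gen_id 1, sig_id 888   selects the rule above
# track by_src           counts hits per source IP address
# count 10, seconds 60   10 hits within one minute activate the filter
# new_action drop        while active, the rule's action becomes drop
# timeout 300            the filter stays active for 5 minutes
rate_filter gen_id 1, sig_id 888, track by_src, count 10, seconds 60, new_action drop, timeout 300
```

The `drop` action only blocks traffic when Suricata runs inline (IPS mode); in IDS mode nothing is dropped.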

When applied to a specific signature, thresholds and event_filters
(threshold from now on) will override the signature setting. This can
be useful when the default in a signature doesn't suit your
environment.